
CRYP TAP-2 Virus and jkhhh.dll


7 replies to this topic

#1 StudlyMcMuffin

StudlyMcMuffin

  • Members
  • 4 posts
  • OFFLINE
  • Local time:12:12 PM

Posted 09 March 2008 - 12:19 PM

Hi, I have the same issue. I am using PC-Cillin and cleaned my box last night with great success except for CRYP TAP-2.

I have a PC and am using Windows XP Version 2002 - no other security software included.

Suggestions?

(logs have been edited to reduce space)
"Virus Scan","2008/03/08","XPS600"
"Time","Event","Source Type","Virus Name","File Name","First Action","Second Action"
"20:33","Real-time Protection","File","Cryp_Tap-2","C:\WINDOWS\system32\jkhhh.dll","None Taken",""
"20:33","Real-time Protection","File","Cryp_Tap-2","C:\WINDOWS\system32\jkhhh.dll","None Taken",""
"20:33","Real-time Protection","File","TROJ_ZENO.BX","C:\WINDOWS\system32\lan34\sysdr659.exe","Quarantine Success",""
"20:33","Real-time Protection","File","Cryp_Tap-2","C:\WINDOWS\system32\jkhhh.dll","None Taken",""
"20:33","Real-time Protection","File","Cryp_Tap-2","C:\WINDOWS\system32\jkhhh.dll","None Taken",""


"20:35","Real-time Protection","File","Cryp_Tap-2","C:\WINDOWS\system32\jkhhh.dll","None Taken",""
"20:35","Real-time Protection","File","Cryp_Tap-2","C:\WINDOWS\system32\jkhhh.dll","None Taken",""
"20:35","Real-time Protection","File","Cryp_Tap-2","C:\WINDOWS\system32\jkhhh.dll","None Taken",""
"20:35","Real-time Protection","File","Cryp_Tap-2","C:\WINDOWS\system32\jkhhh.dll","None Taken",""
"20:35","Real-time Protection","File","Cryp_Tap-2","C:\WINDOWS\system32\jkhhh.dll","None Taken",""
"20:35","Real-time Protection","File","Cryp_Tap-2","C:\WINDOWS\system32\jkhhh.dll","None Taken",""
"20:35","Real-time Protection","File","TROJ_Generic","C:\Program Files\MSN\lawugewi.dll","Quarantine Success",""
"20:35","Real-time Protection","File","Cryp_Tap-2","C:\WINDOWS\system32\jkhhh.dll","None Taken",""
"20:35","Real-time Protection","File","Cryp_Tap-2","C:\WINDOWS\system32\jkhhh.dll","None Taken",""

"20:41","Real-time Protection","File","Cryp_Tap-2","C:\WINDOWS\system32\jkhhh.dll","None Taken",""
"20:41","Real-time Protection","File","Cryp_Tap-2","C:\WINDOWS\system32\jkhhh.dll","None Taken",""
"20:41","Real-time Protection","File","Cryp_Tap-2","C:\WINDOWS\system32\jkhhh.dll","None Taken",""
"20:41","Real-time Protection","File","PE_Generic","C:\winlogon.exe","Clean Fail","Quarantine Success"
"20:41","Real-time Protection","File","Cryp_Tap-2","C:\WINDOWS\system32\jkhhh.dll","None Taken",""
"20:41","Real-time Protection","File","Cryp_Tap-2","C:\WINDOWS\system32\jkhhh.dll","None Taken",""

"20:49","Real-time Protection","File","Cryp_Tap-2","C:\WINDOWS\system32\jkhhh.dll","None Taken",""
"20:49","Real-time Protection","File","Cryp_Tap-2","C:\WINDOWS\system32\jkhhh.dll","None Taken",""
"20:49","Real-time Protection","File","Cryp_Tap-2","C:\WINDOWS\system32\jkhhh.dll","None Taken",""
"20:49","Real-time Protection","File","Cryp_Tap-2","C:\WINDOWS\system32\jkhhh.dll","None Taken",""
"20:49","Manual Scan","File","TROJ_Generic","C:\Documents and Settings\Carl\Local Settings\Temp\cmdinst.exe","Quarantine Success",""
"20:49","Real-time Protection","File","Cryp_Tap-2","C:\WINDOWS\system32\jkhhh.dll","None Taken",""
"20:49","Manual Scan","File","Cryp_Tap-2","C:\Documents and Settings\Carl\Local Settings\Temporary Internet Files\Content.IE5\4SGB5NM8\aqua3d[1]","None Taken",""
"20:49","Real-time Protection","File","Cryp_Tap-2","C:\WINDOWS\system32\jkhhh.dll","None Taken",""
"20:49","Real-time Protection","File","Cryp_Tap-2","C:\WINDOWS\system32\jkhhh.dll","None Taken",""
"20:49","Manual Scan","File","TROJ_Generic","C:\Documents and Settings\Carl\Local Settings\Temporary Internet Files\Content.IE5\4SGB5NM8\installer[1].exe","Quarantine Success",""
"20:49","Manual Scan","File","TROJ_Generic","C:\Documents and Settings\Carl\Local Settings\Temporary Internet Files\Content.IE5\4SGB5NM8\tk58[1].exe","Quarantine Success",""
"20:49","Real-time Protection","File","Cryp_Tap-2","C:\WINDOWS\system32\jkhhh.dll","None Taken",""
"20:50","Real-time Protection","File","Cryp_Tap-2","C:\WINDOWS\system32\jkhhh.dll","None Taken",""

"21:42","Real-time Protection","File","Cryp_Tap-2","C:\WINDOWS\system32\jkhhh.dll","None Taken",""
"21:42","Real-time Protection","File","Cryp_Tap-2","C:\WINDOWS\system32\jkhhh.dll","None Taken",""
"21:42","Manual Scan","File","TROJ_DLOADER.DTK","C:\WINDOWS\system32\ech5\vomb33dll.exe","Quarantine Success",""
"21:42","Real-time Protection","File","Cryp_Tap-2","C:\WINDOWS\system32\jkhhh.dll","None Taken",""
"21:42","Real-time Protection","File","Cryp_Tap-2","C:\WINDOWS\system32\jkhhh.dll","None Taken",""
"21:42","Manual Scan","File","Cryp_Tap-2","C:\WINDOWS\system32\jkhhh.dll","None Taken",""
"21:42","Real-time Protection","File","Cryp_Tap-2","C:\WINDOWS\system32\jkhhh.dll","None Taken",""
"21:42","Real-time Protection","File","Cryp_Tap-2","C:\WINDOWS\system32\jkhhh.dll","None Taken",""

"21:43","Real-time Protection","File","Cryp_Tap-2","C:\WINDOWS\system32\jkhhh.dll","None Taken",""
"21:43","Real-time Protection","File","Cryp_Tap-2","C:\WINDOWS\system32\jkhhh.dll","None Taken",""
"21:43","Manual Scan","File","TROJ_Generic","C:\WINDOWS\tk58.exe","Quarantine Success",""
"21:43","Real-time Protection","File","Cryp_Tap-2","C:\WINDOWS\system32\jkhhh.dll","None Taken",""
"21:43","Real-time Protection","File","Cryp_Tap-2","C:\WINDOWS\system32\jkhhh.dll","None Taken",""
"21:43","Real-time Protection","File","Cryp_Tap-2","C:\WINDOWS\system32\jkhhh.dll","None Taken",""

Edited by Orange Blossom, 09 March 2008 - 03:07 PM.
Split to its own topic
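A defender's way to triage an export like the one above, as an added example that is not part of the thread: parse the PC-cillin CSV, group the hits per file, and separate files the product actually neutralised from files it only kept reporting with "None Taken". The sample rows are constructed in the same column layout as the posted log (paths copied from it); the "Clean Success" and "Delete Success" action names are assumptions, only "Quarantine Success" and "Clean Fail" appear on this page.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: a handful of rows in the same column layout as the
# PC-cillin export posted in the thread (paths taken from that log).
SAMPLE_LOG = r'''"Virus Scan","2008/03/08","XPS600"
"Time","Event","Source Type","Virus Name","File Name","First Action","Second Action"
"20:33","Real-time Protection","File","Cryp_Tap-2","C:\WINDOWS\system32\jkhhh.dll","None Taken",""
"20:33","Real-time Protection","File","TROJ_ZENO.BX","C:\WINDOWS\system32\lan34\sysdr659.exe","Quarantine Success",""
"20:35","Real-time Protection","File","Cryp_Tap-2","C:\WINDOWS\system32\jkhhh.dll","None Taken",""
"20:41","Real-time Protection","File","PE_Generic","C:\winlogon.exe","Clean Fail","Quarantine Success"
"20:49","Real-time Protection","File","Cryp_Tap-2","C:\WINDOWS\system32\jkhhh.dll","None Taken",""
'''

# Action strings that mean the product neutralised the file. "Quarantine Success"
# and "Clean Fail" appear in the thread's log; the other two are assumed names.
RESOLVED_ACTIONS = {"Quarantine Success", "Clean Success", "Delete Success"}


def parse_pccillin_log(text):
    """Return the log rows as dicts keyed by the column names.

    The first line of the export ("Virus Scan", date, host) is a scan header,
    not the column row, so it is skipped before handing the rest to csv.
    """
    lines = text.strip().splitlines()[1:]
    return list(csv.DictReader(io.StringIO("\n".join(lines))))


def triage(events):
    """Group detections per file: hit count, detection names, and whether any
    of the two action columns ever reported a successful clean/quarantine."""
    per_file = defaultdict(lambda: {"hits": 0, "names": set(), "resolved": False})
    for ev in events:
        entry = per_file[ev["File Name"]]
        entry["hits"] += 1
        entry["names"].add(ev["Virus Name"])
        if {ev["First Action"], ev["Second Action"]} & RESOLVED_ACTIONS:
            entry["resolved"] = True
    return dict(per_file)


def unresolved(events):
    """Files detected over and over but never neutralised ("None Taken" on
    every hit). A DLL that keeps showing up like this is loaded into a live
    process, which is why a dedicated removal tool was needed in the thread."""
    return sorted(path for path, e in triage(events).items() if not e["resolved"])


if __name__ == "__main__":
    events = parse_pccillin_log(SAMPLE_LOG)
    for path, entry in triage(events).items():
        status = "resolved" if entry["resolved"] else "UNRESOLVED"
        print(f"{status:10} hits={entry['hits']:2} {', '.join(sorted(entry['names']))}  {path}")
    print("Needs manual removal:", unresolved(events))
```

Run it on a saved export and the "UNRESOLVED" rows are the files to hand to a dedicated cleaner (or to an analyst), while the repeated real-time alerts on an already-quarantined file can be ignored as noise.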



#2 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 3,672 posts
  • OFFLINE
  • Gender:Male
  • Location:Midlands, UK
  • Local time:06:12 PM

Posted 09 March 2008 - 02:54 PM

Hi StudlyMcMuffin and welcome to Bleeping Computer.

C:\WINDOWS\system32\jkhhh.dll
relates to a 'Vundo' infection.

Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Post the results and we'll take it from there.

Edited by Starbuck, 09 March 2008 - 02:55 PM.



#3 StudlyMcMuffin

StudlyMcMuffin
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:12:12 PM

Posted 09 March 2008 - 03:56 PM

VundoFix V7.0.1

Scan started at 3:26:30 PM 3/9/2008

Listing files found while scanning....

C:\windows\system32\hhhkj.ini
C:\windows\system32\hhhkj.ini2
C:\windows\system32\jkhhh.dll

Beginning removal...

Attempting to delete C:\windows\system32\hhhkj.ini
C:\windows\system32\hhhkj.ini Has been deleted!

Attempting to delete C:\windows\system32\hhhkj.ini2
C:\windows\system32\hhhkj.ini2 Has been deleted!

Attempting to delete C:\windows\system32\jkhhh.dll
C:\windows\system32\jkhhh.dll Has been deleted!

Performing Repairs to the registry.
Done!


OKAY, THEN. NOW WHAT? THE PC-CILLIN NOTIFICATION OF THIS VIRUS IS STILL ACTIVE.
the infected files now list

dtqmevhl.dll
mllml.dll
jeupkvwp.dll

Edited by StudlyMcMuffin, 09 March 2008 - 04:03 PM.


#4 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 3,672 posts
  • OFFLINE
  • Gender:Male
  • Location:Midlands, UK
  • Local time:06:12 PM

Posted 09 March 2008 - 05:11 PM

Ok, StudlyMcMuffin

OKAY, THEN. NOW WHAT? THE PC-CILLIN NOTIFICATION OF THIS VIRUS IS STILL ACTIVE.
the infected files now list

Just calm down.
Just because we got rid of the Vundo infection... doesn't mean the other files are Vundo related.
mllml.dll is a component of 'WinFixer' which is a different infection altogether.
As of yet,
dtqmevhl.dll
jeupkvwp.dll

are unlisted. So they'll be fun.

So, to try and deal with the mllml.dll.

Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

Post the report back and I'll take a look.
If the infection is showing in the Smitfraud report, we'll go on to cleaning that.



#5 StudlyMcMuffin

StudlyMcMuffin
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:12:12 PM

Posted 09 March 2008 - 06:51 PM

Here is the scan report

SmitFraudFix v2.301

Scan done at 18:50:53.03, Sun 03/09/2008
Run from C:\Temp\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Leica Geosystems\Cyclone\CyraLicense.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\Leica Geosystems\Cyclone\ptserv32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\Fonts\svchost.exe
C:\WINDOWS\mrofinu1188.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PccVScan.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cmd.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\tsc.exe

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\Carl


C:\Documents and Settings\Carl\Application Data


Start Menu


C:\DOCUME~1\Carl\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]


Rustock



DNS

Description: NVIDIA nForce Networking Controller - Packet Scheduler Miniport
DNS Server Search Order: 24.93.41.127
DNS Server Search Order: 24.93.41.128

HKLM\SYSTEM\CCS\Services\Tcpip\..\{0935C843-15E7-4A04-8130-1EC9B080B228}: DhcpNameServer=66.90.132.162 66.90.130.10
HKLM\SYSTEM\CCS\Services\Tcpip\..\{1957BD9F-E81B-4DDC-9300-E48EA7935A8F}: DhcpNameServer=24.93.41.127 24.93.41.128
HKLM\SYSTEM\CCS\Services\Tcpip\..\{3298F50C-DA8E-40D4-B1F6-9007C49CD531}: DhcpNameServer=66.90.132.162 66.90.130.10
HKLM\SYSTEM\CCS\Services\Tcpip\..\{E7F0F977-C509-48CC-9170-038699AEC20C}: DhcpNameServer=24.93.41.125 24.93.41.126
HKLM\SYSTEM\CS1\Services\Tcpip\..\{0935C843-15E7-4A04-8130-1EC9B080B228}: DhcpNameServer=66.90.132.162 66.90.130.10
HKLM\SYSTEM\CS1\Services\Tcpip\..\{3298F50C-DA8E-40D4-B1F6-9007C49CD531}: DhcpNameServer=66.90.132.162 66.90.130.10
HKLM\SYSTEM\CS1\Services\Tcpip\..\{6FD60775-3D3F-4701-B4ED-4007E35A8983}: DhcpNameServer=10.10.0.11 10.10.0.12
HKLM\SYSTEM\CS1\Services\Tcpip\..\{C369F8FB-7E9C-483A-A99B-EDE58A59C28F}: DhcpNameServer=24.93.41.125 24.93.41.126
HKLM\SYSTEM\CS1\Services\Tcpip\..\{E7F0F977-C509-48CC-9170-038699AEC20C}: DhcpNameServer=24.93.41.125 24.93.41.126
HKLM\SYSTEM\CS1\Services\Tcpip\..\{EADC4F21-6A0A-4E07-A436-A9E29E116590}: DhcpNameServer=24.93.41.125 24.93.41.126
HKLM\SYSTEM\CS3\Services\Tcpip\..\{0935C843-15E7-4A04-8130-1EC9B080B228}: DhcpNameServer=66.90.132.162 66.90.130.10
HKLM\SYSTEM\CS3\Services\Tcpip\..\{1957BD9F-E81B-4DDC-9300-E48EA7935A8F}: DhcpNameServer=24.93.41.127 24.93.41.128
HKLM\SYSTEM\CS3\Services\Tcpip\..\{3298F50C-DA8E-40D4-B1F6-9007C49CD531}: DhcpNameServer=66.90.132.162 66.90.130.10
HKLM\SYSTEM\CS3\Services\Tcpip\..\{E7F0F977-C509-48CC-9170-038699AEC20C}: DhcpNameServer=24.93.41.125 24.93.41.126
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=24.93.41.127 24.93.41.128
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=10.10.0.11 10.10.0.12
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=24.93.41.127 24.93.41.128


Scanning for wininet.dll infection


End

Edited by StudlyMcMuffin, 09 March 2008 - 06:57 PM.


#6 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 3,672 posts
  • OFFLINE
  • Gender:Male
  • Location:Midlands, UK
  • Local time:06:12 PM

Posted 10 March 2008 - 05:02 AM

Hi StudlyMcMuffin

Your problem is a little more serious than we thought.
These are really bad:
C:\WINDOWS\Fonts\svchost.exe
C:\WINDOWS\mrofinu1188.exe


Download SDFix and save it to your desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(this is the drive that contains the Windows Directory, typically C:\SDFix). DO NOT use it just yet.

Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup [but before the Windows icon appears] press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Open the SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Finally copy and paste the contents of the results file Report.txt in your next reply.

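Starbuck's point above, that an svchost.exe running from C:\WINDOWS\Fonts and an odd-named executable sitting directly in the Windows directory are "really bad", is a masquerading check a defender can run automatically over a process listing like the SmitfraudFix one in post #5. The following is an added example, not code from the thread or from SmitfraudFix: the table of where each core Windows XP process is expected to live and the allowlist of executables that legitimately sit in the Windows root are assumptions for this example and are not exhaustive; the process paths are copied from the posted report.

```python
import ntpath

# Constructed sample: process paths copied from the SmitfraudFix "Process"
# section posted in the thread (a subset, with one benign browser included).
PROCESS_LIST = r"""
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Fonts\svchost.exe
C:\WINDOWS\mrofinu1188.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
""".strip().splitlines()

WINDIR = r"C:\WINDOWS"
SYSTEM32 = WINDIR + r"\system32"

# Assumed allowlist: the directory each core Windows XP process name is
# expected to run from. A same-named binary anywhere else is a masquerade.
EXPECTED_DIR = {
    "smss.exe": SYSTEM32, "csrss.exe": SYSTEM32, "winlogon.exe": SYSTEM32,
    "services.exe": SYSTEM32, "lsass.exe": SYSTEM32, "svchost.exe": SYSTEM32,
    "spoolsv.exe": SYSTEM32, "rundll32.exe": SYSTEM32, "ctfmon.exe": SYSTEM32,
    "explorer.exe": WINDIR,
}

# Assumed, non-exhaustive set of executables that legitimately live directly
# under %WINDIR% on XP. Anything else running from there deserves a look.
WINDIR_ROOT_OK = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe", "winhlp32.exe"}


def classify(path):
    """Label one process path: 'masquerade', 'unusual-windir-root' or 'ok'.

    ntpath is used so the Windows paths split correctly on any host, and all
    comparisons are case-insensitive because the report mixes System32/system32
    and Explorer.EXE/explorer.exe.
    """
    directory, name = ntpath.split(path)
    name_l, dir_l = name.lower(), directory.lower()
    expected = EXPECTED_DIR.get(name_l)
    if expected is not None and dir_l != expected.lower():
        return "masquerade"
    if dir_l == WINDIR.lower() and name_l not in WINDIR_ROOT_OK:
        return "unusual-windir-root"
    return "ok"


def suspicious(process_list):
    """Return (path, label) for every process that is not 'ok', in list order."""
    flagged = []
    for path in process_list:
        label = classify(path)
        if label != "ok":
            flagged.append((path, label))
    return flagged


if __name__ == "__main__":
    for path, label in suspicious(PROCESS_LIST):
        print(f"{label:20} {path}")
```

The path check is deliberately the only signal here: a process named svchost.exe is not suspicious, a process named svchost.exe loaded from the Fonts directory is, which is exactly the distinction the reply above draws from the report.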


#7 StudlyMcMuffin

StudlyMcMuffin
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:12:12 PM

Posted 15 March 2008 - 03:25 PM

SDFix: Version 1.157

Run by Carl on Sat 03/15/2008 at 02:41 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\WINDOWS\system\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\X.DAT - Deleted
C:\Z.DAT - Deleted
C:\PROGRA~1\MSN\LAWUGEWI - Deleted
C:\Temp\1cb\syscheck.log - Deleted
C:\Program Files\JavaCore\JavaCore.exe - Deleted
C:\Program Files\JavaCore\UnInstall.exe - Deleted
C:\Program Files\nvcoi\mst.stt - Deleted
C:\Program Files\Temporary\InsiDERInst.exe - Deleted
C:\n.bat - Deleted
C:\WINDOWS\b104.exe - Deleted
C:\WINDOWS\mrofinu1000106.exe.tmp - Deleted
C:\x.dat - Deleted
C:\z.dat - Deleted
C:\WINDOWS\Fonts\Setup.exe - Deleted
C:\WINDOWS\Fonts\svchost.exe - Deleted
C:\WINDOWS\system32\drivers\core.cache.dsk - Deleted
C:\WINDOWS\system32\msnav32.ax - Deleted
C:\WINDOWS\system32\pac.txt - Deleted
C:\WINDOWS\system32\drivers\NWLNKF~1.sys - Deleted



Folder C:\Program Files\InetGet2 - Removed
Folder C:\Program Files\JavaCore - Removed
Folder C:\Program Files\nvcoi - Removed
Folder C:\Program Files\Temporary - Removed
Folder C:\Temp\1cb - Removed
Folder C:\Temp\tn3 - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-15 14:49:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\\x90\x2022\x20ac|\xff\xff\xff\xff"\x2022\x20ac|\xfe\xbb\xd4w\2]
"91A14B995DF7C0B42ABAA16065968F3A"="C:\Program Files\Alias\Maya7.0\presets\Ashli\"

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files :


File Backups: - C:\WINDOWS\system\SDFix\backups\backups.zip

Files with Hidden Attributes :

Tue 2 Aug 2005 293,888 A.SHR --- "C:\WINDOWS\Q2FybA\command.exe"
Sun 23 Sep 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Thu 7 Dec 2006 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Wed 23 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\585dc2612ebcefc90e7dee4c276ee95e\BITB.tmp"
Sun 10 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\585dc2612ebcefc90e7dee4c276ee95e\BITC.tmp"
Wed 27 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\585dc2612ebcefc90e7dee4c276ee95e\BITD.tmp"
Wed 19 Sep 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\cf7ced0e70c80a1e476f1abf49afecb1\BITA.tmp"
Thu 6 Sep 2007 0 ...H. --- "C:\Documents and Settings\Carl\Application Data\Microsoft\Word\~WRL0521.tmp"
Thu 9 Aug 2007 24,663 ..SHR --- "C:\Documents and Settings\Carl\Local Settings\Temp\Juniper Networks\setup\NeoterisSetupApp.exe"

Finished!


The PC-cillin warning still says that Cryp Tap-2 is present in file 'pmkjh.dll'

#8 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 3,672 posts
  • OFFLINE
  • Gender:Male
  • Location:Midlands, UK
  • Local time:06:12 PM

Posted 15 March 2008 - 05:50 PM

Hi StudlyMcMuffin
Seems you were more infected than you thought.
To be honest, it's difficult with not being able to see certain logs and reports.
Therefore I'd like to suggest that you continue with this in the Hjt room.
It may help to give a link to this thread in your post, that way the helper can see what's been going on with your system.

A member of the HijackThis Team will walk you through, step by step, how to disinfect your computer.

Read the Preparation Guide before posting a HijackThis Log.
Please read, and follow, all directions carefully

Run a log, and post it in the HijackThis Logs and Analysis forum.

Do not, post it in this topic.
Do not, fix anything, yet.
A member, of the HJT Team, will help you out.
It may take a while to get a response from the HJT Team, because they are very busy. Please, be patient, as these people are volunteers. They will help you, as soon as possible.

NOTE:
Once you have made the post, please, DO NOT make another post in the HJT forum, until it has been responded to by a member of the HJT Team. The first thing they look for, when looking for logs to reply to, is 0 replies. If you make another post, there will be 1 reply. The team member, glancing over the replies, might assume someone is already helping you out, and will not respond. So, just make your post, and let it sit there, until a team member responds. This way you will be taken care of, in the most timely manner.


If you haven't heard back from them in 5 days, go to this topic, Haven't Had A Reply In Five Days?, and carefully follow all directions.





